I wrote the FoxyProxy for Firefox and Chrome web extensions. The Firefox version has a good logging mechanism, although no modification capabilities. Are you looking for contributors?

Wow, FoxyProxy is very popular on Firefox. I'd definitely love to discuss this. Can you please drop a hi at sachin@requestly.io

I'm interested in this for its potential reverse engineering apps on Android. I've had some success with `mitmproxy` but I'm wondering what other HN-ers use for this purpose.

I've been building a list of apps and libraries in this space. In no particular order:

https://requestly.io/

https://portswigger.net/burp

https://dutzi.github.io/tamper/

https://anyproxy.io/en/

https://wproxy.org/whistle/

https://www.telerik.com/fiddler

https://github.com/alibaba/lightproxy

https://httptoolkit.tech/

https://mitmproxy.org/

https://wiki.squid-cache.org/Features/SslPeekAndSplice

https://www.charlesproxy.com/

https://nssurge.com/

https://wrapapi.com/proxy

https://www.privoxy.org/

http://www.tofuproxy.stargrave.org/

https://github.com/http-party/node-http-proxy

https://github.com/joeferner/node-http-mitm-proxy

https://www.zaproxy.org/

https://proxyman.io

Note that any properly made android app will pin its certificates and disallow user-added certificates, so you'll only see garbage go through. You need to install your certificate as a system certificate, which either requires root, or using the emulator.

great collection. You can also create a Github awesome repo collection like awesome-requests-proxy-tools

Second that. Would be most useful, especially if maintained. I myself am still on fiddler

UPDATE: did that myself, but wish someone takes over. I only check for new and better stuff once in 3 years. The community deserves someone better.

https://github.com/michaelkariv/awesome-requests-proxy-list

I use burp suite(community version) for the same purpose along with frida. There is also Brida[1] its sort of a bridge between both of them.

Something which I don't like is that every time I need the traffic to go through burp I need to go the WiFi settings and modify the "advance option" to use proxy. And if I keep the proxy settings on all the time then I've had issues with playstore and other such app, on the testing device. So that small bit of manual work is what I don't like.

In another comment[2] they mentioned they'll be releasing an android interceptor which would work without proxy, I think that would make me try this.

[1] [https://github.com/federicodotta/Brida](https://github.com/f...

[2] [https://news.ycombinator.com/item?id=30541263](https://news....

I recently used Fiddler along with Frida[1] to deal with cert pinning in the app I was looking into.

[1] https://github.com/httptoolkit/frida-android-unpinning

Sweet, thanks for the link.

I was looking for something like this. Tried mitmproxy but it was useless against cert pinning. So I went with decompiling the app to extract the auth keys and urls for the internal API it was using.

Is there a way to deal cert pinning without decompiling the app?

Here's my setup (for private projects, work stuff is under NDA):

- Android device running Android 10 (generally using older versions is better) - Magisk for root + Trust User Certificates module - mitmproxy (sometimes using mitmweb) - ProxyDroid to connect to mitmproxy - Frida with a one of a handful open source SSL pinning bypass scripts (and a custom one at work)

When network requests aren't enough, I reach for JADX-GUI for decompilation and Frida (REPL and custom scripts) for extracting data at runtime (taking the necessary "cleanroom" precautions for commercial projects).

Same. mitmproxy (and its built-in mitmdump lib), along w/ the (criminally obscure / amazing) lnav (https://lnav.org), have served me very well in the past for this kind of thing.

I have seen Inav earlier but never used it. Does it also provide response modification capabilities?

No, at least not out of the box, bc that's outside its intended realm; lnav (short for log navigator) is like a mini-ETL CLI powertool w/ embedded SQLite. You can pipe (semi/)structured data in, then query and optionally transform and/or export it out. Its API makes it convenient for chaining w/ tools like mitmproxy, so you could do almost anything with it in a custom script pipeline.

This looks great! Congratulations. I particularly like the "shortcuts" to common actions like "Insert JS/CSS". That's very useful!

I want to also give a shoutout to https://proxyman.io/. Proxyman is a native Mac App that also works as a local proxy and is a pleasure to use. I've been using it for similar workflows and can highly recommend it over Charles (the SSL handling alone is 100x simpler).

Insert JS is one of the most used features. Requestly also allows adding multiple scripts which are loaded sequentially So you can basically add a library URL like jQuery and write a code block which depends upon jQuery. Proxyman is a very good tool. No doubt over it. SSL handling is a challenge and I just don't like the way we have to setup things for Mobile app debugging, that's the trigger for building the native SDK for us.

I too used to use paid-version of Charles and then moved to Proxyman. I particularly like the scripting ability in Proxyman.

Interesting! What was the trigger point to move to Proxyman. How did you port the configurations you already had in Charles? Did you have to recreate them?

Proxyman looks like something I always wanted: does it allow you to say "when any browsers/webpage request this URL {url}, return this {content} instead of the original one"? And if it works like that, does anyone know something like that for Windows? Thanks!

Yes, You can do this with Requestly desktop app. You can use Modify Response feature to just specify a URL then specify the status code you need like 400 or 500 and then you can also specify what content do you want to return.

Requestly also lets you write a simple JS script to change something in the existing content. Here are some references for you - About Modify Response (https://requestly.io/feature/modify-response/), Change Status Code (https://stackoverflow.com/questions/50923170/simulate-fake-4...).

And yes, Requestly is available on Windows too.

Honest question, why use a company product over free tools like zap or even burp for this?

Zap and burp are more optimized towards security testing. There's definitely some overlap in terms of network requests interception but the capabilities on top of interception varies a lot So It depends upon your use case. If you are an application developer/QA you will find zap & burp to be an overkill solution for even simplest of things.

Congratulation! We are big fans of Requestly at Caido as we are building something somewhat similar for the infosec community (https://caido.io).

Requestly feels good and there is a lot of potential for production debugging. I particularly like the switching of API endpoint so you can use the live prod website with a local API, super useful to debug.

If your interest extends to debugging production backends you can also check out Lightrun ( https://lightrun.com ) which continues this all the way through.

Lightrun looks really interesting. Have you personally used lightrun to debug anything directly in production? I saw the video on landing page and very curious to know how it works under the hood.

Sure. It works differently for every language/platform e.g. for Java it uses a JVMTI agent. This connects to the backend server which then connects to the IDE.

This lets you send action commands to production without having a debug session into you K8S cloud.

Very Interesting that you brought K8s. In the K8s cluster, an API request could be hitting one of the multiple PODs so how does the JVMTI agent know which pod to connect to? I am definitely missing something here.

You need to install the agent in all the pods in the cluster. You can then pick a specific one or use tags to target a set of them.

So you can add a conditional snapshot (a breakpoint that doesn't break) to the set of green containers. E.g. I can add a snapshot that has a condition to only grab the data for user X. I'll get the result regardless of the container that actually handles the request.

How does it compare with https://httptoolkit.tech/

httptoolkit is open-source. this one doesn't seem so: no mention of open source on either homepage, nor on this Show HN intro

There's a site I use that checks for membership only on the client side and I use requestly to spoof premium status. Just had to write a simple script like this to modify the response body of the request that gets membership status:

  function modifyResponse(args) {
    const {method, url, response, responseType, requestHeaders, requestData} = args;
    const responseDataParsed = JSON.parse(response);
    responseDataParsed.result.user.vip_end = "2030-06-11T14:16:20.000Z";
    responseDataParsed.result.user.expire_in = "3573 days, 3 hours";
    responseDataParsed.result.user.is_premium = true;
    return JSON.stringify(responseDataParsed);
  }

Very nice software.

FYI - We are adding a support for responseJSON in the arguments so you can just write the above code like this

function modifyResponse(args) { const {method, url, response, responseType, requestHeaders, requestData, responseJSON} = args;

    responseJSON.result.user.vip_end = "2030-06-11T14:16:20.000Z";
    responseJSON.result.user.expire_in = "3573 days, 3 hours";
    responseJSON.result.user.is_premium = true;
    return responseJSON;
  }

This is clever. How was the experience with Modify API Response? Were you able to figure out everything on your own or Was there a learning curve?

I wrote it over a year ago so I don't remember exactly but I think there was a template when you went to make a new script that made it easy. Had to google some things but I don't think it took me more than 15 minutes.

I don't see any obvious links to mobile debugging in the features list or the FAQ. I see you mention an SDK here in the comment, but is there any links to docs on this?

I frequently use Charles/Fiddler, but always interested in new offerings. Congrats on the release!

@jwong_ We are about to do a public release of Android SDK. Here are a couple of things which we did for internal purpose only (& WIP) but still sharing to give you an idea

https://youtu.be/gs02m2pZJlQ (Demo Video)

https://requestly.io/android-interceptor/ (WIP - Landing Page)

I'd be really happy to discuss further on this approach. I believe this is going to make things really easy for developers.

Thanks for the links!

Curious on the body -- you showed some JSON requests, but do image resources or other larger responses also get proxied and viewable from browser?

For example, sometimes I like to view large minified JS blobs or images. Would that be viewable in the browser?

Also, what do the production vs debugging logs look like? Do you just run a special debugging build or is that a flag triggered within preferences? So e.g., would a user be able to turn debugging on to give extra logs to support staffs?

Our Native SDK provides listening to API Requests and Analytics events in your app. In order to view JS blogs or Images, you can use the desktop app - https://requestly.io/desktop

We provide the capability that you can disable the SDK in production builds and enable only in the debug builds. And yes we are going to provide the capability using which you can download or share the APIs and events sessions with your support staff.

With the desktop app, could network requests from .NET apps / more traditional software be intercepted / listened to?

Yes, this should be possible. You can always open a new issue here - https://github.com/requestly/requestly/issues if you need help with anything.

Why would I use requestly for Android when perfectly good alternatives already exist ? Flipper (https://fbflipper.com/) lets me do all of this (viewing, mocks, etc), with the same setup. And it's extensible too. HTTP Toolkit offers the proxying solution to it. Is there anything that might be different ?

Thank you for asking this and This is a very good question. The way we are building Requestly is to be used within teams, test different case-cases, have them on cloud and use them again & again without setting up everything from scratch. Collaboration is an essential feature which is missing in this space. To give you an example - A developer working in E-Commerce domain has mocked an API to return empty slots for a cart, (s)he'd like to share it with the team so that anyone in the team can use the same configuration while making any changes in those files. Now, Think of a Repository of Rules available in your company when you have to test different scenarios. When you work on a particular component, you can just enable different configurations and test them out easily without having to know how to set those configurations up. I believe this really improves onboarding and efficiency in testing your code.

Requestly is awesome. I use it almost daily and to be honest I don't understand how this is not a native tool inside browser dev tools. It's such a simple idea yet so powerful. Thanks for your work

wow thanks! I believe Requestly is ChromeDevTools++ and Our vision is to make MobileDevTools++ and BackendDevTools++ really soon.

I've been using the Browser extension for years and it is incredibly helpful. We use it to debug scripts on customer websites by making them resolve to our local instance so that we can test fixes quickly.

I would recommend some sort of graphic on the homepage to explain what Requestly does though, as you mention it can be confused with Postman when it's entirely different. Maybe an animated flowchart type graphic showing how a browser request to X is redirected to Y based on some Requestly rule.

So glad to hear this. This is really good feedback. Noted this down. We will soon make this live. We already have an animated gif at https://requestly.io/feature/redirect-url/

Do you mean to say we should have an animated flowchart for the hero image on the page?

Yeah that image is exactly what I was thinking. I clicked the link in the post which was the download page which I mistake for the homepage.

This makes me realize that we need to improve upon the downloads page too. Noted this down. Feel free to drop me a Hi at sachin@requestly.io

On iOS, the header doesn’t stick at the top of the page.

thank you for informing this! Making the fix.

Congratulations! Looks super cool!

How challenging will it be to continue offering Chrome browser extension with the v3 manifest changes related to the blocking webRequest API? Does it impact requestly?

The Linux page, https://requestly.io/downloads/linux/, has MacOS instructions instead of Linux.

That's a very good question. Manifest V3 changes heavily impact Requestly because we use webRequest API to intercept the network requests. We have already started evaluating what works and what not.

A couple of things which I see right away not being supported directly in Manifest V3 are like adding a random parameter to URL to avoid caching, Inserting a script before page load etc.

Apart from this, from a couple of folks whom I know have migrated to Manifest V3 their users have faced some issues So I'd be most likely wait for another 4-5 months before doing the migration. Do you have any pointers for v2 to v3 migration?

Thanks for the tip about the Linux page.

This is a fantastic story of how you created your success with Requestly. I wish you continued success!

Congratulations Sachin. You truly showed perseverance. Glad to see Requestly take off !!!

I was quite impressed when I needed to modify some requests on the fly and this was the only browser extension that let me do more than just add/remove headers.

Actually using it, however, I was completely lost. The way groups work was completely unintuitive and it took me way too long to figure out how to even enable a rule. I ended up writing an ad-hoc extension because it was easier than figuring out a whole new tool.

Still, it looks like a really powerful tool and a lot of people on my team swear by it, so congrats!

Could you compare Requestly with Proxyman in terms of mobile debugging capabilities? Proxyman has especially well developed flow for installing certificates that allow the proxying without having to change the app's source code. I have not see other apps match that and it is incredibly helpful for only semi-technical QA workers who might not always have a dev team willing to integrate random SDKs only to make their life easier. The only problem with Proxyman is that randomly, its local proxy server may stop being reachable from the phone on the same network. I don't know why this happens.

We also have a desktop app which works very similarly in terms of setting up proxy and installing the certificates. The fundamentals with which we are building Requestly makes it different from other tools in this space. We intend Requestly to be used by team, easy re-use of the mocking configurations. The intent to go with SDK based approach is that it is one-time setup while using an external proxy will always require you to configure your phone every time which is painful. Like you said, local proxy servers can be flaky sometimes and you may eventually end up spending more time on the tool rather than your actual work.

If it's iOS devices, the iOS version of Charles proxy is really easy to set up (no computer needed). You can export and send of the capture for later viewing in the desktop app.

Looks great, I look forward to trying it out. Just FYI clicking the "Upgrade to premium" link bottom left of the application takes me to a blank navy screen. Then I have to close and re-open Requestly.

On the way to fixing this bug. Looking forward to your feedback when you try it out.

I found requestly organically a few months back and love it, great tool.

Do you happen to remember how did you find Requestly? Was it google search and which query?

Does it actually have an Android app? A play store button shows up, but it's linked to /#. It either shows up for every platform & browser or the url is missing.

We don't have an Android app. We intended to take it to the "Requestly for Android" page. We are building our SDK landing page and we want to link it there. Thanks for the feedback.

You could likely benefit from having a designer look at your onboarding flow. I get it's a developer tool, but the Docs, Pricing and Homepage are completely different colour schemes (Pricing defaults to dark on my machine) and this comes across as a disjointed product (and is quite an easy win!).

Sure, it's a dev-tool and we're not as fussed about design. But the pricing page has so much going on at once that I struggled to concentrate on the product-offer. Same goes for the Homepage where I can see 7 different forms of accreditation before you explain what the product is. Have some video's, or animations showing the tool in action. I took me waaay too long to realise it wasn't a Postman offering.

Thank you for the feedback. Landing pages need more work. We've recently worked on our pricing page so I'd really appreciate if you can provide more insights into what can be improved on the pricing page.

I think the pricing page might be trying to hard. You typically see the endorsements and "also used by..." on the home page or success story type pages. If I rip out everything between the plans and the FAQ the result is much calmer (to me) and I can focus on the difference between the offerings.

Maybe A/B test the page with and without all the ratings/endorsements and see if one leads to better conversion.

thanks for the tip. AB test on pricing page is very tricky. One challenge which with the A/B test on pricing page is that we need to wait for like weeks to get substantial data in terms of conversions. For example - 40 vs 32 wouldn't be significant enough to conclude. I'd try to learn how can we experiment on the pricing page. I do get your point, this page needs more work in terms of experience.

I would love to have this capability for iOS apps.

We will soon move to IOS after launching our Android SDK. Please drop me a Hi at sachin@requestly.io and I'd be happy to learn more about your use cases in IOS and I will inform you when its available.

Have you tried the on-device iOS version of Charles proxy? I use it all the time and find it handier than any computer based solution.

Folks in the windows ecosystem have had the benefit of Fiddler for more than a decade now. Glad to see a more universal solution.

Some of our customers use Requestly on Windows & Mac to test their sites and that too across browsers. I am glad that there's more demand for a universal solution. We are based on top of electron So it was comparatively easier to build cross-platform solution although yes we have to handle the nuances of all different OS and the versions.

Congrats, we've been using Requestly for some time now for Theneo and we absolutetely love it!

So glad to hear this.

Congrats on launching. Looks awesome.

Thanks @sidcool. Would love to have your feedback if you get a chance to try out the product :)

How well does this work with websockets / rpc-json? (Ethereum nodes)

We have just started working on adding websocket. gRPC and rpc-json are in the pipeline.

Happy to help beta test.

You are an inspiration to me.

So humble of you. Drop me an email at sachin@requestly.io if you want to chat further and if there's anything I can help you with.

I saw the video of your mobile app debugging. Makes it very convenient for mobile development. Thanks for the work